AUDIT REPORT

Audit of National Source Tracking System Information System Development

OIG-09-A-03 November 20, 2008

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

November 20, 2008

MEMORANDUM TO: R. William Borchardt
               Executive Director for Operations

FROM:          Stephen D. Dingbaum /RA/
               Assistant Inspector General for Audits

SUBJECT:       AUDIT OF NATIONAL SOURCE TRACKING SYSTEM INFORMATION SYSTEM DEVELOPMENT (OIG-09-A-03)

Attached is the Office of the Inspector General’s (OIG) audit report titled, Audit of National Source Tracking System Information System Development.

The report presents the results of the subject audit. Agency comments provided at the November 6, 2008, exit conference have been incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow-up as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Audit Team, at 415-5911.

Attachment: As stated

Electronic Distribution

Frank P. Gillespie, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jim E. Dyer, Chief Financial Officer
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
Bruce S. Mallett, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Information Services and Chief Information Officer, OEDO
Vonna L. Ordaz, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Cynthia A. Carpenter, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Guy P. Caputo, Director, Office of Investigations
Thomas M. Boyce, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Michael R. Johnson, Director, Office of New Reactors
Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards
Eric J. Leeds, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
Luis A. Reyes, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Elmo E. Collins, Jr., Regional Administrator, Region IV

EXECUTIVE SUMMARY

BACKGROUND

The National Source Tracking System (NSTS) is an initiative of the Nuclear Regulatory Commission (NRC) designed to allow Agreement State[1] and Federal Government agencies to track transactions of specific types and quantities of radiological sealed sources.[2] This will include radiological sources held by the Department of Energy, and by NRC and Agreement State licensees. Licensees are businesses and other organizations licensed to possess radiological sources. Tracking capabilities will span the entire life cycle of each source, from manufacture or import to receipt and transfer, ending with export, decay, or burial.

NRC awarded a contract worth approximately $15 million in December 2005 for NSTS information system development, operational support, and maintenance. This contract included approximately $3.1 million to fund information system development.

PURPOSE

The audit objective was to evaluate the agency’s management of NSTS information system development and assess delays in the development process. The report appendix contains information on the audit scope and methodology.

RESULTS IN BRIEF

NRC had planned to develop the NSTS information system so that licensees could begin reporting radiological source data in November 2007. However, NRC’s contractor did not complete system development work on schedule. NRC has therefore postponed system deployment until December 2008, and has revised the licensee reporting deadline to January 2009. System development delays resulted from a lack of clear policies and procedures for review of key system security documentation, and for coordinating efforts among internal stakeholders. Technological, organizational, and staffing issues were additional factors cited by NRC staff. As a result of these delays, NRC incurred added contract costs of approximately $2.8 million. Furthermore, NRC has postponed by 18 months the deployment of the NSTS information system, which agency officials consider a top-priority project for improving accountability of radiological sources. NRC is planning information systems to complement NSTS in the near future; however, these systems could face similar challenges if the agency does not address underlying causes of problems encountered during the NSTS project.

[1] The Atomic Energy Act of 1954 allows NRC to delegate to State governments some authority to license and regulate radiological materials. States that have signed formal regulatory agreements with NRC are known as “Agreement States.”
[2] Radioactive material may be in the form of a sealed source, which is the term used to describe radioactive material that is permanently sealed in a capsule or closely bonded in a solid form. This report refers to radiological sealed sources as “radiological sources.”

RECOMMENDATIONS

This report makes recommendations to the Executive Director of Operations to improve NRC’s management of information system development.

AGENCY COMMENTS

At a November 6, 2008, exit conference, NRC senior managers agreed with the report contents and provided editorial suggestions. This final report incorporates revisions made, where appropriate, as a result of the agency’s suggestions.

ABBREVIATIONS AND ACRONYMS

C&A     Certification and Accreditation
CFR     Code of Federal Regulations
CSO     Computer Security Office
DOE     Department of Energy
FSME    Federal and State Materials and Environmental Management Programs
IAEA    International Atomic Energy Agency
NIST    National Institute of Standards and Technology
NMSS    Office of Nuclear Material Safety and Safeguards
NRC     Nuclear Regulatory Commission
NSTS    National Source Tracking System
OIS     Office of Information Services
OMB     Office of Management and Budget
PMM     Project Management Methodology

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I.   BACKGROUND
II.  PURPOSE
III. FINDING
     NSTS INFORMATION SYSTEM DEVELOPMENT DELAYED PRIMARILY BY LACK OF CLEAR POLICIES AND PROCEDURES
     RECOMMENDATIONS
IV.  AGENCY COMMENTS
APPENDIX
SCOPE AND METHODOLOGY

I. BACKGROUND

Introduction

The National Source Tracking System (NSTS) is an initiative of the Nuclear Regulatory Commission (NRC) designed to allow Agreement State[3] and Federal Government agencies to track transactions of specific types and quantities of radiological sealed sources.[4] This will include radiological sources held by the Department of Energy (DOE), and by NRC and Agreement State licensees. Licensees are businesses and other organizations licensed to possess radiological sources. Tracking capabilities will span the entire life cycle of each source, from manufacture or import to receipt and transfer, ending with export, decay, or burial.

Emerging Threats Drive NSTS

After the terrorist attacks in the United States on September 11, 2001, NRC conducted a comprehensive review of nuclear material security requirements. This review included a focus on radioactive materials that could be used to create a radiological dispersal device.[5] NRC’s review considered the changing domestic and international threat environments and related U.S. Government-supported international initiatives in the nuclear security area, particularly activities conducted by the International Atomic Energy Agency (IAEA). In May 2003, DOE and NRC jointly issued a report titled “Radiological Dispersal Devices: An Initial Study to Identify Radioactive Materials of Greatest Concern and Approaches to Their Tracking, Tagging, and Disposition.” This report recommended development of a national tracking system to better monitor the location and movement of radiological sources.

[3] The Atomic Energy Act of 1954 allows NRC to delegate to State governments some authority to license and regulate radiological materials. States that have signed formal regulatory agreements with NRC are known as “Agreement States.”
[4] Radioactive material may be in the form of a sealed source, which is the term used to describe radioactive material that is permanently sealed in a capsule or closely bonded in a solid form. This report refers to radiological sealed sources as “radiological sources.”
[5] These devices are commonly known as “dirty bombs.” According to NRC, most dirty bombs would not release enough radiation to kill people or cause severe illness; rather, conventional explosives in the device would cause greater harm than its radioactive components. However, depending on the scenario, a dirty bomb explosion could create fear and panic, contaminate property, and require potentially costly cleanup.

Legislative Basis for NSTS

The Energy Policy Act of 2005 requires NRC to issue regulations establishing a mandatory tracking system for radiation sources in the United States.[6] The act sets requirements for identifying individual radiological sources (e.g., by serial number), and for reporting any change of possession or loss of control of these materials. In addition, the system is to enable reporting through a secure Internet connection. NRC fulfilled its legislative mandate in November 2006 by amending the Code of Federal Regulations (CFR) to include provisions for NSTS.[7]

Internal and External NSTS Stakeholders

The NSTS initiative involves internal NRC stakeholders and the contractor selected to develop the system, as well as external stakeholders representing other Federal Government agencies, State governments, and licensees. NRC’s Office of Federal and State Materials and Environmental Management Programs (FSME) is the NSTS information system owner. The Office of Nuclear Material Safety and Safeguards (NMSS) was the initial system owner before FSME became a separate agency office in October 2006. A project team composed of FSME staff manages NSTS development, while a contractor performs most of the work needed to design, build, and deploy the information system. NRC awarded a contract worth approximately $15 million in December 2005 for NSTS information system development, operational support, and maintenance; this contract included approximately $3.1 million to fund information system development. Other NRC stakeholders include NRC’s Office of Information Services (OIS), which provides project management guidance and review, and the Computer Security Office (CSO), which reviews system design documents to ensure compliance with Federal Government standards for securing information systems. Prior to the establishment of CSO as a separate agency office in November 2007, OIS performed these reviews. External stakeholders include DOE and Agreement State officials, who will use NSTS to conduct oversight in their respective jurisdictions, as well as licensees such as industrial businesses, medical facilities, and research organizations.

[6] Under the act, radiation source means a Category 1 source or a Category 2 source as defined in the IAEA Code of Conduct and any other material that poses a threat, as determined by the Commission, other than spent nuclear fuel and special nuclear material. Per NRC regulations, the term “nationally tracked source” does not include material encapsulated solely for disposal, or nuclear material contained in any fuel assembly, subassembly, fuel rod, or fuel pellet.
[7] Federal Register, Vol. 71, No. 216, November 8, 2006. 10 CFR Parts 20 and 32, “National Source Tracking of Sealed Sources.”

Functional Overview of NSTS Information System

Once the NSTS information system is deployed, the contractor will continue to maintain the system. Licensee personnel will report data through a secure Internet connection; however, licensees will also have the option of reporting information by mail, fax, or telephone. DOE and Agreement State officials will have access rights enabling them to view and enter data for licensees and activities under their respective jurisdictions.

To reduce risk of unauthorized personnel accessing NSTS and compromising its data, NRC will issue “hard token” authentication devices to authorized users. For NSTS, the hard token is a cryptographic device that stores digital certificates and keys for use in electronic authentication. Authentication by means of the hard token requires the user to type the password for the hard token into the user’s computer during the login to NSTS. The combination of the hard token device and the user’s password is known as “two-factor authentication.” Figure 1.1 shows an NSTS hard token authentication card.

Figure 1.1 Example of NSTS Hard Token Authentication Card [image not reproduced]
Source: NRC

Once NSTS reporting deadlines take effect, licensees will be legally obligated to conduct annual physical inventories of source materials in their possession, and reconcile discrepancies found between their physical inventories and data stored in NSTS. NRC asserts that NSTS, on its own, will not ensure physical protection of radiological materials. Rather, the agency expects NSTS to improve accountability for radiological sources. NRC also expects NSTS to complement two other systems being planned to enhance oversight of radiological source materials. These systems—Web-based licensing and automated license verification—are scheduled for deployment between 2010 and 2011.

Information Technology Security and Project Management Guidance

In developing the NSTS information system, NRC must comply with Federal Government regulations for information technology security. The National Institute of Standards and Technology (NIST) issues supplementary risk assessment guidance, as well as technical publications that prescribe standards for data protection and user authentication.[8] The Office of Management and Budget (OMB) issues guidance to Federal agencies for assessing information system risk and security requirements.[9] NRC Management Directive 12.5, “NRC Automated Information Security Program,”[10] provides guidance for complying with Federal regulations, and assigns roles and responsibilities to agency staff for implementing security measures to protect NRC information and information systems.

NRC staff responsible for managing information technology projects use the agency’s Project Management Methodology (PMM), which became official guidance in June 2007.[11] The PMM establishes agency processes to be followed throughout all phases of an information system’s life cycle. The NSTS project team was among the first to use an early version of the PMM in 2006 as it replaced NRC’s previous methodology.[12] The PMM is still evolving, as the agency develops templates for project deliverables, and works to integrate resource planning, security, and other requirements into a mature methodology.

[8] Federal Information Processing Standards (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” February 2004; FIPS Publication 200, “Minimum Security Requirements for Federal Information and Information Systems,” March 2006; NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems,” Rev. 1, December 2006; FIPS Publication 140-2, “Security Requirements for Cryptographic Modules,” May 25, 2001.
[9] OMB Circular No. A-130, Appendix III, “Security of Federal Automated Information Resources,” November 28, 2000; OMB M-04-04, “E-Authentication Guidance for Federal Agencies,” December 16, 2003.
[10] Management Directive 12.5, “NRC Automated Information Security Program,” revised September 12, 2003.
[11] Management Directive 2.8, “Project Management Methodology,” Volume 2: Information Technology, June 19, 2007.
[12] The System Development Life Cycle Management Methodology.

Within the PMM, security reviews and approvals occur through a discrete process called Certification and Accreditation (C&A).[13] Certification requires a comprehensive assessment of the managerial, operational, and technical security controls in an information system to determine the extent to which these controls are implemented correctly, operate as intended, and fulfill system security requirements. Accreditation represents the decision of a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. Once in operation, an information system must be re-certified and re-accredited on a 3-year cycle.

[13] CSO manages this process for NRC information systems.

II. PURPOSE

The audit objective was to evaluate the agency’s management of NSTS information system development and assess delays in the development process. The report appendix contains information on the audit scope and methodology.

III. FINDING

NSTS Information System Development Delayed Primarily by Lack of Clear Policies and Procedures

NRC had planned to develop the NSTS information system so that licensees could begin reporting radiological source data in November 2007. However, NRC’s contractor did not complete system development work on schedule. NRC has therefore postponed system deployment until December 2008, and has revised the licensee reporting deadline to January 2009. System development delays resulted from a lack of clear policies and procedures for review of key system security documentation, and for coordinating efforts among internal stakeholders. Technological, organizational, and staffing issues were additional factors cited by NRC staff. As a result of these delays, NRC incurred added contract costs of approximately $2.8 million. Furthermore, NRC has postponed by 18 months the deployment of the NSTS information system, which agency officials consider a top-priority project for improving accountability of radiological sources. NRC is planning information systems to complement NSTS in the near future; however, these systems could face similar challenges if the agency does not address underlying causes of problems encountered during the NSTS project.

NSTS Timelines and Information System Development Plans

In November 2006, NRC amended its regulations[14] to establish NSTS reporting requirements for licensees that possess specific types of radiological sources. The new regulations required licensees to begin reporting Category 1 sources by November 15, 2007, and Category 2 sources by November 30, 2007.[15] The transactions to be reported to NSTS include manufacture, transfer, receipt, disassembly, and disposal of these radiological sources.

In addition to these licensee reporting dates, NRC set internal benchmarks for developing the information system to be used for processing radiological source data. In 2004, the NSTS sponsor office[16] conducted a business case analysis to evaluate four NSTS information system options, and selected one particular option on the basis of cost, benefit, and risk to NRC. This analysis described how the recommended information system would operate and included a project plan for developing the system over a 19-month period. The project plan broke system development down into discrete tasks that were linked to internal review milestones. Further, the project plan assumed a “modular” design approach, which was intended to enable different information system elements to be built independently of one another so that delays in one element would not hold up the entire project. In December 2005, NRC awarded a contract to build the NSTS information system. This contract reflected NRC’s business case analysis by funding system development and initial deployment support[17] for a 24-month period beginning December 22, 2005, and ending December 31, 2007. The contract’s statement of work detailed information system development tasks to be performed by NRC’s contractor and established project milestones. Together, these documents show that NRC staff intended—and exercised due diligence in planning—to deploy the NSTS information system to meet licensee reporting deadlines set for November 2007.

[14] 10 CFR 20.2207.
[15] Category 1 and 2 sources are defined in the IAEA Code of Conduct, Annex I, for specific radionuclides.
[16] At this point, NMSS was the system sponsor.

Information System Development Delays

In October 2007, NRC announced that NSTS implementation would be delayed for technical reasons, and subsequently revised regulations to require licensee reporting of radiological source data by January 31, 2009, rather than the previous deadlines in November 2007. NRC attributed this delay to the emergence of new technology that would enhance NSTS security. The NSTS information system is unique insofar as it requires a high level of security, while also allowing access to NRC and DOE staff, as well as non-Federal Government users, including Agreement State officials and licensee personnel. NRC staff determined that NSTS would require a high level of security because, in their estimate, a system breach could compromise sensitive data and severely impact public health, safety, and security.[18]

[17] NSTS contract documents refer to system development as “Task 1,” which entails 31 subtasks to be conducted by NRC’s contractor. For instance, Task 1.1 is “Obtain Development Environment Purchase Approval”; Task 1.2 is “Develop Software Development Plan.”
[18] NIST and OMB authentication guidance prescribes system security standards based upon potential effects of a system breach resulting from a user authentication error. More severe effects require a higher level of authentication assurance.

NSTS information system development concluded in September 2008. NRC plans on deploying NSTS in December 2008 to meet the revised licensee reporting deadline of January 31, 2009. In the interim, CSO staff must review C&A documentation for NSTS and grant its sponsor (FSME) either full or interim authority to operate the system. NRC must also verify the identity of prospective system users, and then issue authentication devices to authorized users.[19] In addition, NRC plans to provide training for Agreement State officials and licensee personnel. Figure 1.2 shows key events and dates in the development of the NSTS information system.

Figure 1.2: Timeline of NSTS Information System Development
December 2004:  NMSS submits Business Case Analysis
December 2005:  NSTS contract awarded
November 2006:  10 CFR 20, 32 reporting regulation issued
June 2007:      Proposed NSTS deployment date
October 2007:   NRC announces NSTS delayed for technical reasons
November 2007:  Original NRC regulation reporting date for NSTS
September 2008: Staff report NSTS development complete
December 2008:  Projected deployment date of NSTS
January 2009:   New NRC regulation reporting date for NSTS
Source: OIG analysis of NRC and Federal Register documents.

Lack of Clear Guidance for Project Management and System Documentation, and for Internal Stakeholder Coordination

Delays in NSTS development resulted in part from the lack of clear standards for project management and system design documentation, and from lack of clear direction for internal stakeholder coordination. According to NRC staff, technological challenges inherent in NSTS, NRC organizational issues, and staffing problems were additional factors.

[19] A contractor will perform these tasks for NRC.

Information System Documentation

Delays in NSTS information system development were caused in part by the lack of clear standards for project management and system security documentation. The NSTS project team was among the first to use NRC’s new PMM as the agency transitioned away from its previous guidance for managing information system development. OIS was supposed to provide NRC and contractor staff with PMM guidance and templates to help them prepare system design documents, some of which are required for the C&A process. OIS had not finalized these templates when NSTS information system development began in January 2006, and NSTS project staff had to revise their initial submissions multiple times as templates changed, thereby resulting in extra work. Moreover, senior OIS and NMSS staff acknowledged in a November 2005 project kickoff meeting the need to facilitate C&A by creating documentation guidance and quality standards early in the NSTS information system development process, with January 2006 as the goal. Nevertheless, staff who were involved in the NSTS project in early 2006 told auditors that they lacked quality standards to guide preparation and review of key system design documentation.
This lack of guidance is evidenced by disputes among NRC staff about whether a System Architecture Document20 was required for C&A, the level of detail required in this document’s preliminary drafts, and whether specific aspects of system security could be elaborated at a later stage in the project. Staff reported similar problems with standards for writing the system’s Security Categorization, which serves as the basis for assessing security risks and selecting appropriate controls. Without consensus about quality standards for system design and security documents, NSTS project staff and OIS reviewers became involved in prolonged review and revision cycles.

20 The System Architecture Document provides a comprehensive overview of an information system’s architecture. It discusses design goals, constraints, and assumptions, as well as hardware layout and other technical aspects of system design.

Coordination of Internal Stakeholder Efforts

NSTS information system development delays also resulted from a lack of direction to coordinate internal stakeholders’ work on the project. At the November 2005 project kickoff meeting, participants acknowledged the need for close coordination among NRC staff involved in NSTS development, as well as the need for early review of system security plans. In January 2006, OIS assembled a special “Tiger Team” to serve as a focal point for communications among different OIS offices, the NSTS project team, and NRC’s contractor. However, OIS and NSTS project staff told auditors that this approach did not meet its intended purpose of facilitating staff communication and coordination. Some Tiger Team staff reported that their roles and responsibilities were not clearly defined. Several NSTS project staff perceived a lack of coordination within OIS, despite Tiger Team efforts, as PMM and C&A guidance often changed without a clear reason. Also, an OIS official reportedly instructed OIS’s senior security official not to communicate directly with NRC’s contractor and to relay communications through the Tiger Team. In retrospect, staff recommended to auditors that periodic reviews involving key internal stakeholders such as OIS’s senior security official, starting early in the development process, could have provided opportunities to address potential system design problems and resolve them before development work proceeded.

The lack of coordination among internal NRC stakeholders adversely affected the contractor’s work. In one instance, installation of the contractor’s data servers to be used in building the NSTS information system was delayed while NRC staff disputed whether the servers and NRC networks would be adequately secured. In another instance, which reportedly had greater bearing on the NSTS development schedule, OIS and NSTS project team staff took differing positions on the proper means for securing the system, particularly with regard to user authentication. OIS’s senior security official began to review system design plans and raise concerns about security 6 months after the contractor had begun development work. In addition, OIS did not approve the Security Categorization, which the contractor needed to complete the system Risk Assessment, until 10 months after development began. As contract funds ran low and NRC staff had not reached agreement with the contractor regarding outstanding system design issues, NSTS project team staff suspended system development work. In the interim, the contractor conducted market research to identify commercially available security solutions for the NSTS project. OIS officials and NSTS project team staff eventually resolved this impasse through high-level meetings with the contractor’s management and its senior subject matter expert. NRC staff estimated that this dispute prolonged the NSTS development schedule by approximately 1 year.

Technical, Organizational, and Staffing Challenges

According to NRC staff, problems with documentation standards and internal stakeholder coordination were compounded to some extent by technical challenges inherent in NSTS, NRC’s decentralized approach to information system management, and staff turnover. First, the user authentication issues described above were unique to NSTS. The system requires a high level of security to protect sensitive data; however, approximately 15,000 personnel from NRC, other Federal Government agencies, Agreement State agencies, and licensee entities will have access to the system. 
NRC staff said that an information system of this complexity was unprecedented among civilian Federal Government agencies, and that NRC had no model on which to base its work. Second, one staff member believed that internal stakeholder coordination for NSTS was better than for most NRC information systems; however, several others claimed that integration of priorities and plans among OIS and system sponsors is a common problem at NRC, and that closer coordination starting at the outset of NSTS development could have prevented disputes over system design that impacted the project schedule. Third, staff reported that OIS personnel shortages and turnover adversely affected OIS’s work on NSTS by disrupting continuity and lengthening review time.21 Auditors analyzed NRC staff hour charges for NSTS development work and found that OIS work hours surged during the project’s initial period, and again during its final stages in fiscal year 2008. While the data may reflect reasonable workflow trends, the data do not capture OIS’s work on concurrent projects, which could have compounded the burden associated with NSTS. Figure 1.3 shows workload trends for NSTS information system development from the first quarter of fiscal year 2006 through the third quarter of fiscal year 2008.

21 CSO reports that it has mitigated the personnel shortfall problem by increasing the number of NRC staff assigned to information system security tasks. Nevertheless, an August 2008 NRC assessment of the agency’s information system development processes recommended that NRC review the adequacy of current staffing levels for technical personnel, particularly as information systems grow in complexity and criticality to NRC’s mission.

Figure 1.3: Staff Hours Charged for NSTS Information System Development, 1st Quarter FY 2006 – 3rd Quarter FY 2008

[Chart: NRC staff hours charged (0 to 1,200) by fiscal year and quarter, FY 2006 Q1 through FY 2008 Q3, broken out by NRC office: NMSS/FSME, OIS, and Other.]

Source: OIG analysis of NRC Human Resource Management System data.

Delays Increase Contract Cost, Postpone System Deployment, and Raise Questions About Future NRC Information Systems

As NSTS information system development approached the end of its initial contract schedule with key system design issues unresolved, NRC modified the baseline contract to increase funds for development tasks by approximately $2.8 million. This represents an increase of nearly 90 percent over the initial development task cost ceiling of $3.1 million, and reflects only the cost growth directly attributable to extension of the system development schedule. In addition to these financial costs, NRC has postponed by approximately 18 months deployment of an information system that is designed to enhance accountability of radiological sources. Senior NRC officials and working-level staff have considered development of the NSTS information system a top agency priority. However, delays in system development and their underlying causes raise concerns about NRC’s management of future information systems, particularly since NRC is planning two systems to complement NSTS. These and other information systems could face similar delays and cost overruns if the agency does not mitigate or resolve the procedural and organizational factors that hampered timely development of the NSTS information system.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Establish policies and procedures that:

   a. Specify quality standards for C&A and PMM documents.

   b. Specify the sequence and protocols for submission and review of C&A and PMM documents, to include review milestones linked to project schedules.

   c. Clarify staff roles, responsibilities, and qualifications to better integrate internal stakeholders’ efforts.

2. Require staff involved in information systems development to undergo periodic training on these policies and procedures.

IV. AGENCY COMMENTS

At a November 6, 2008, exit conference, NRC senior managers agreed with the report contents and provided editorial suggestions. This final report incorporates revisions made, where appropriate, as a result of the agency’s suggestions.

Appendix

SCOPE AND METHODOLOGY

Auditors evaluated the agency’s management of NSTS information system development. 
This audit was included as a planned audit in the fiscal year 2008 OIG Annual Plan.

The OIG audit team reviewed Federal Government information technology guidance issued by OMB and NIST, as well as NRC internal guidance, including Management Directive 12.5, “NRC Automated Information Security Program”; and Management Directive 2.8, “Project Management Methodology.”

Auditors interviewed staff from FSME, OIS, and CSO who have been involved in NSTS information system development. Auditors also reviewed Federal Government regulations, Federal Register notices, NRC public affairs material, NSTS contract documents, e-mail correspondence, NSTS information system design documents, briefing materials, and automated project management files. Auditors analyzed staff interview comments in conjunction with this documentary evidence to chronicle events and to identify problems in NSTS information system development and the underlying causes of these problems.

Auditors further analyzed the NSTS information system contract and its modifications to calculate contract costs and to identify costs directly related to system development delays. Auditors also obtained staff hour data for fiscal year 2006 through the third quarter of fiscal year 2008 to calculate staff hours charged to time codes associated with NSTS information system development.

This work was conducted at NRC headquarters from April 2008 through September 2008 in accordance with generally accepted Government auditing standards. 
Those standards require that the audit be planned and performed with the objective of obtaining sufficient, appropriate evidence to provide a reasonable basis for any findings and conclusions based on the stated audit objectives. OIG believes that the evidence obtained provides a reasonable basis for the report findings and conclusions based on the audit objective. The audit work was conducted by Beth Serepca, Team Leader; Paul Rades, Audit Manager; and James McGaughey, Senior Management Analyst.